3

I need to authenticate and authorize the application using Google's Service Account flow in perl. Google does not seem to list perl as a supported language in their documentation. Has any one faced this issue? Pointers to any code out there?

4

1 回答 1

0

搜索 perl Google OAUTH,您会发现许多不同的方法。

有关可用于为您适当配置的 Google Cloud API 项目收集 OAUTH 令牌的快速 Web 服务器的示例,请参阅以下内容:

#!perl

use strict; use warnings; ## required because I can't work out how to get percritic to use my modern config
package goauth;

# ABSTRACT: CLI tool with mini http server for negotiating Google OAuth2 Authorisation access tokens that allow offline access to Google API Services on behalf of the user. 

# 
# Supports multiple users
# similar to that installed as part of the WebService::Google module
# probably originally based on https://gist.github.com/throughnothing/3726907

# OAuth2 for Google. You can find the key (CLIENT ID) and secret (CLIENT SECRET) from the app console here under "APIs & Auth" 
# and "Credentials" in the menu at https://console.developers.google.com/project.

# See also https://developers.google.com/+/quickstart/.

use strict;
use warnings;
use Carp;
use Mojolicious::Lite;
use Data::Dumper;
use Config::JSON;
use Tie::File;
use feature 'say';
use Net::EmptyPort qw(empty_port);

use Crypt::JWT qw(decode_jwt);

my $filename;
if ( $ARGV[0] )
{
  $filename = $ARGV[0];
}
else
{
  $filename = './gapi.json';
}

if ( -e $filename )
{
  say "File $filename exists";
  input_if_not_exists( ['gapi/client_id', 'gapi/client_secret', 'gapi/scopes'] ); ## this potentially allows mreging with a json file with data external
                                                                                  ## to the app or to augment missing scope from file generated from 
                                                                                  ##  earlier versions of goauth from other libs
  runserver();
}
else
{
  say "JSON file '$filename' with OAUTH App Secrets and user tokens not found. Creating new file...";
  setup();
  runserver();
}

sub setup
{
  ## TODO: consider allowing the gapi.json to be either seeded or to extend the credentials.json provided by Google
  my $oauth = {};
  say "Obtain project app client_id and client_secret from http://console.developers.google.com/";
  print "client_id: ";

  $oauth->{ client_id } = _stdin() || croak( 'client_id is required and has no default' );
  print "client_secret: ";

  $oauth->{ client_secret } = _stdin() || croak( 'client secret is required and has no default' );

  print 'scopes ( space sep list): eg - email profile https://www.googleapis.com/auth/plus.profile.emails.read '
    . "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/contacts.readonly https://mail.google.com\n";

  $oauth->{ scopes } = _stdin();    ## no croak because empty string is allowed an will evoke defaults

  ## set default scope if empty string provided
  if ( $oauth->{ scopes } eq '' )
  {
    $oauth->{ scopes }
      = 'email profile https://www.googleapis.com/auth/plus.profile.emails.read '
      . 'https://www.googleapis.com/auth/calendar '
      . 'https://www.googleapis.com/auth/contacts.readonly https://mail.google.com';
  }

  my $tokensfile = Config::JSON->create( $filename );
  $tokensfile->set( 'gapi/client_id',     $oauth->{ client_id } );
  $tokensfile->set( 'gapi/client_secret', $oauth->{ client_secret } );
  $tokensfile->set( 'gapi/scopes',        $oauth->{ scopes } );
  say 'OAuth details  updated!';

  # Remove comment for Mojolicious::Plugin::JSONConfig compatibility
  tie my @array, 'Tie::File', $filename or croak $!;
  shift @array;
  untie @array;
  return 1;
}

sub input_if_not_exists
{
  my $fields = shift;
  my $config = Config::JSON->new( $filename );
  for my $i ( @$fields )
  {
    if ( !defined $config->get( $i ) )
    {
      print "$i: ";

      #chomp( my $val = <STDIN> );
      my $val = _stdin();
      $config->set( $i, $val );
    }
  }
  return 1;
}

sub runserver
{
  my $port = empty_port( 3000 );
  say "Starting web server. Before authorization don't forget to allow redirect_uri to http://127.0.0.1 in your Google Console Project";
  $ENV{ 'GOAUTH_TOKENSFILE' } = $filename;

  my $config = Config::JSON->new( $ENV{ 'GOAUTH_TOKENSFILE' } );


  # authorize_url and token_url can be retrieved from OAuth discovery document
  # https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/issues/52
  plugin "OAuth2" => {
    google => {
      key           => $config->get( 'gapi/client_id' ),                                    # $config->{gapi}{client_id},
      secret        => $config->get( 'gapi/client_secret' ),                                #$config->{gapi}{client_secret},
      authorize_url => 'https://accounts.google.com/o/oauth2/v2/auth?response_type=code',
      token_url     => 'https://www.googleapis.com/oauth2/v4/token' ## NB Google credentials.json specifies "https://www.googleapis.com/oauth2/v3/token" 
    }
  };

# Marked for decomission
#  helper get_email => sub {
#    my ( $c, $access_token ) = @_;
#   my %h = ( 'Authorization' => 'Bearer ' . $access_token );
#    $c->ua->get( 'https://www.googleapis.com/auth/plus.profile.emails.read' => form => \%h )->res->json;
#  };

  helper get_new_tokens => sub {
    my ( $c, $auth_code ) = @_;
    my $hash = {};
    $hash->{ code }          = $c->param( 'code' );
    $hash->{ redirect_uri }  = $c->url_for->to_abs->to_string;
    $hash->{ client_id }     = $config->get( 'gapi/client_id' );
    $hash->{ client_secret } = $config->get( 'gapi/client_secret' );
    $hash->{ grant_type }    = 'authorization_code';
    my $tokens = $c->ua->post( 'https://www.googleapis.com/oauth2/v4/token' => form => $hash )->res->json;
    return $tokens;
  };

  get "/" => sub {
    my $c = shift;
    $c->{ config } = $config;
    app->log->info( "Will store tokens in" . $config->getFilename( $config->pathToFile ) );

    if ( $c->param( 'code' ) ) ## postback from google 
    {
      app->log->info( "Authorization code was retrieved: " . $c->param( 'code' ) );
      my $tokens = $c->get_new_tokens( $c->param( 'code' ) );
      app->log->info( "App got new tokens: " . Dumper $tokens);
      if ( $tokens )
      {
        my $user_data;
        if ( $tokens->{ id_token } )
        {
          # my $jwt = Mojo::JWT->new(claims => $tokens->{id_token});
          # carp "Mojo header:".Dumper $jwt->header;

          # my $keys = $c->get_all_google_jwk_keys(); # arrayref
          # my ($header, $data) = decode_jwt( token => $tokens->{id_token}, decode_header => 1, key => '' ); # exctract kid
          # carp "Decode header :".Dumper $header;

          $user_data = decode_jwt( token => $tokens->{ id_token }, kid_keys => $c->ua->get( 'https://www.googleapis.com/oauth2/v3/certs' )->res->json, );
          #carp "Decoded user data:" . Dumper $user_data;
        }

        #$user_data->{email};
        #$user_data->{family_name}
        #$user_data->{given_name}
        # $tokensfile->set('tokens/'.$user_data->{email}, $tokens->{access_token});
        $config->addToHash( 'gapi/tokens/' . $user_data->{ email }, 'access_token', $tokens->{ access_token } );

        if ( $tokens->{ refresh_token } )
        {
          $config->addToHash( 'gapi/tokens/' . $user_data->{ email }, 'refresh_token', $tokens->{ refresh_token } );
        }
        else ## with access_type=offline set we should receive a refresh token unless user already has an active one.
        {
          carp('Google JWT Did not incude a refresh token - when the access token expires services will become inaccessible');
        }
      }
      $c->render( json => $config->get( 'gapi' ) );
    }
    else ## PRESENT USER DEFAULT PAGE TO REQUEST GOOGLE AUTH'D ACCESS TO SERVICES
    {
      $c->render( template => 'oauth' );
    }
  };
  app->secrets( ['putyourownsecretcookieseedhereforsecurity' . time] ); ## NB persistence cookies not required beyond server run
  app->start( 'daemon', '-l', "http://*:$port" );
  return 1;
}

## replacement for STDIN as per https://coderwall.com/p/l9-uvq/reading-from-stdin-the-good-way
sub _stdin
{
  my $io;
  my $string = q{};

  $io = IO::Handle->new();
  if ( $io->fdopen( fileno( STDIN ), 'r' ) )
  {
    $string = $io->getline();
    $io->close();
  }
  chomp $string;
  return $string;
}


=head2 TODO: Improve user interface of the HTML templates beneath DATA section

=over 1

=item * include Auth with Google button from Google Assets and advertise scopes reqeusted on the oauth.html

=item * More informative details on post-authentication page - perhaps include scopes, filename updated and instructions on revoking

=back

=cut

__DATA__

@@ oauth.html.ep

<%= link_to "Click here to get Google OAUTH2 tokens", $c->oauth2->auth_url("google",
    authorize_query => { access_type => 'offline'},
        scope => $c->{config}->get('gapi/scopes'), ## scope => "email profile https://www.googleapis.com/auth/plus.profile.emails.read https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/contacts.readonly",
         )
%>

<br>
<br>

<a href="https://developers.google.com/+/web/api/rest/oauth#authorization-scopes">
Check more about authorization scopes</a>
Once you have a token in your gapi.json you can check the available scopes with curl using <pre>curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=<YOUR_ACCESS_TOKEN></pre>

__END__
于 2018-10-09T02:28:51.573 回答